
Possible XSS vulnerability #156

Closed
enferas opened this issue Apr 6, 2022 · 5 comments · Fixed by #173
@enferas

enferas commented Apr 6, 2022

Hello,

I would like to report an XSS vulnerability.

In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.

case 'setplug':
  $plug = strip_tags($_GET['plug']);
  $pluginfo = getPluginInfo($plug);

Then, there is an echo in line 62.

echo '<a href="'.$pluginfo['plugin']['url'].'" target="_blank">';

strip_tags is not secure in this case. If you look at this code example, the alert will be printed when you click on the link.

<?php
// Constructed example: strip_tags() removes HTML tags, but a bare javascript:
// URL contains no tags, so it passes through unchanged into the href attribute.
$x = "'javascript:alert()'";
$y = strip_tags($x);  // $y is identical to $x: there was nothing to strip
echo "<a href=$y>ClickMe</a>";
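As an added defensive example, not code from this issue or from the project: a scheme allowlist plus attribute-context escaping for the href discussed above, with the strip_tags() version beside it so the difference is visible. Function names and the sample inputs are my own.

```php
<?php
// Added example, not code from Tieba-Cloud-Sign. The function names are my own.
// Shows why strip_tags() is the wrong tool for an href attribute, and the
// scheme allowlist plus attribute escaping that a safe rendering needs.

// The pattern from the report: strip_tags() only removes HTML tags, so a bare
// "javascript:" URL passes through untouched and lands in the href attribute.
function renderLinkUnsafe(string $url): string
{
    $clean = strip_tags($url);
    return '<a href="' . $clean . '" target="_blank">plugin</a>';
}

// Returns the URL only if it is an absolute http(s) URL, otherwise null.
function safeHttpUrl(string $url): ?string
{
    $url = trim($url);
    // Browsers strip control characters and whitespace before reading the
    // scheme (e.g. "java\tscript:"), so reject them outright.
    if (preg_match('/[\x00-\x20\x7F]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened rendering: allowlist the scheme, then escape for the attribute context.
function renderLinkSafe(string $url): string
{
    $safe = safeHttpUrl($url);
    if ($safe === null) {
        return '<span>plugin (link withheld)</span>';
    }
    // ENT_QUOTES so a quote inside the URL cannot terminate the attribute early.
    $attr = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $attr . '" target="_blank" rel="noopener">plugin</a>';
}

// Constructed inputs: one legitimate URL and three that strip_tags() lets through.
$inputs = ['https://example.com/plugin', 'javascript:alert()',
           "java\tscript:alert()", 'https://example.com/"onmouseover="x'];
foreach ($inputs as $in) {
    echo renderLinkUnsafe($in), "\n", renderLinkSafe($in), "\n\n";
}
```

The fourth input keeps a valid https scheme but carries a double quote; it shows that the allowlist alone is not enough and the attribute escaping is still needed.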
@BANKA2017
Collaborator

if (ROLE != 'admin') msg('权限不足!');  // permission check: non-admin users are rejected

if (!file_exists($path . $plugin . '.php')) {
    return false;  // a plugin that does not exist on disk is never loaded
}

This is not as serious a vulnerability as you might think. We set up a permission check earlier that blocks access by non-admin users; in addition, the file-existence check ensures that non-existent plugins will not be loaded. Two conditions are therefore required to trigger this vulnerability:

  • The user is an administrator
  • A plugin with a malicious URL is used

Thank you for your feedback; we will fix it later.

translated by deepl.com

@kenvix kenvix added the bug label Apr 7, 2022
@RiotGamesU

Politely asking: how well does deepl.com translate Chinese to English and English to Chinese?

@n0099
Collaborator

n0099 commented May 16, 2022

Politely asking: how well does deepl.com translate Chinese to English and English to Chinese?

You have already seen it.

@enferas
Author

enferas commented Jun 13, 2022

CVE-2022-28920 is assigned for this vulnerability.
Thank you.

@n0099
Collaborator

n0099 commented Jun 13, 2022

This is the first CVE assigned to tc in its seven-year history.

@n0099 n0099 linked a pull request Jun 14, 2022 that will close this issue
@n0099 n0099 closed this as completed Jun 14, 2022